Amazon SCS-C02 AWS Certified Security - Specialty Exam Practice Test

Page: 1 / 14
Total 327 questions

Want more questions? Get Premium Access.
()

Question 1

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

AMake the following changes to NACL3:
* Add a rule that allows inbound traffic on port 5432 from NACL2.
* Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.
* Remove the default rules that allow all inbound and outbound traffic.

BMake the following changes to NACL3:
* Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.
* Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.
* Remove the default rules that allow all inbound and outbound traffic.

CMake the following changes to NACL2:
* Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.
* Remove the default rules that allow all inbound and outbound traffic.

DMake the following changes to NACL2:
* Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.
* Add a rule that allows outbound traffic on port 5432 to the RDS subnets.

Answer : B

For increased security while ensuring functionality, adjusting NACL3 to allow inbound traffic on port 5432 from the CIDR blocks of the application instance subnets, and allowing outbound traffic on ephemeral ports (1024-65536) back to those subnets creates a secure path for database access. Removing default allow-all rules enhances security by implementing the principle of least privilege, ensuring that only necessary traffic is permitted.

Question 2

A company runs an online game on AWS. When players sign up for the game, their username and password credentials are stored in an Amazon Aurora database.

The number of users has grown to hundreds of thousands of players. The number of requests for password resets and login assistance has become a burden for the company's customer service team.

The company needs to implement a solution to give players another way to log in to the game. The solution must remove the burden of password resets and login assistance while securely protecting each player's credentials.

Which solution will meet these requirements?

AWhen a new player signs up, use an AWS Lambda function to automatically create an 1AM access key and a secret access key. Program the Lambda function to store the credentials on the player's device. Create 1AM keys for existing players.

BMigrate the player credentials from the Aurora database to AWS Secrets Manager. When a new player signs up. create a key-value pair in Secrets Manager for the player's user ID and password.

CConfigure Amazon Cognito user pools to federate access to the game with third-party identity providers (IdPs), such as social IdPs Migrate the game's authentication mechanism to Cognito.

DInstead of using usernames and passwords for authentication, issue API keys to new and existing players. Create an Amazon API Gateway API to give the game client access to the game's functionality.

Answer : C

The best solution to meet the company's requirements of offering an alternative login method while securely protecting player credentials and reducing the burden of password resets is to use Amazon Cognito with user pools. Amazon Cognito provides a fully managed service that facilitates the authentication, authorization, and user management for web and mobile applications. By configuring Amazon Cognito user pools to federate access with third-party Identity Providers (IdPs), such as social media platforms or Google, the company can allow users to sign in through these external IdPs, thereby eliminating the need for traditional username and password logins. This not only enhances user convenience but also offloads the responsibility of managing user credentials and the associated challenges like password resets to Amazon Cognito, thereby reducing the burden on the company's customer service team. Additionally, Amazon Cognito integrates seamlessly with other AWS services and follows best practices for security and compliance, ensuring that the player's credentials are protected.

Question 3

An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages.

What actions should be taken to troubleshoot the issue while maintaining least privilege? (Select TWO.)

AConfigure and assign an MFA device to the role used by the instances.

BVerify that the SQS resource policy does not explicitly deny access to the role used by the instances.

CVerify that the access key attached to the role used by the instances is active.

DAttach the AmazonSQSFullAccest. managed policy to the role used by the instances.

EVerify that the role attached to the instances contains policies that allow access to the queue

Answer : B, E

The correct answer is B and E. To troubleshoot the issue, the security engineer should verify that the SQS resource policy does not explicitly deny access to the role used by the instances, and that the role attached to the instances contains policies that allow access to the queue. These actions will ensure that the instances have the necessary permissions to retrieve messages from Amazon SQS, while maintaining the principle of least privilege.

The other options are incorrect because they are either unnecessary or overly permissive. Option A is incorrect because configuring and assigning an MFA device to the role used by the instances is not required to access Amazon SQS.MFA is an optional security feature that adds an extra layer of protection on top of the user name and password1. Option C is incorrect because verifying that the access key attached to the role used by the instances is active is not relevant to the issue.Access keys are used to make programmatic requests to AWS services, not to retrieve messages from Amazon SQS2. Option D is incorrect because attaching the AmazonSQSFullAccess managed policy to the role used by the instances is overly permissive and violates the principle of least privilege.This policy grants full access to all Amazon SQS actions and resources, which may expose the instances to unnecessary risks3.

Question 4

A company is using an Amazon CloudFront distribution to deliver content from two origins. One origin is a dynamic application that is hosted on Amazon EC2 instances. The other origin is an Amazon S3 bucket for static assets.

A security analysis shows that HTTPS responses from the application do not comply with a security requirement to provide an X-Frame-Options HTTP header to prevent frame-related cross-site scripting attacks. A security engineer must ipake the full stack compliant by adding the missing HTTP header to the responses.

Which solution will meet these requirements?

ACreate a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront origin response event.

BCreate a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront viewer request event.

CUpdate the CloudFront distribution by adding X-Frame-Options to custom headers in the origin settings.

DCustomize the EC2 hosted application to add the X-Frame-Options header to the responses that are returned to CloudFront.

Answer : A

The correct answer is A because it allows the security engineer to add the X-Frame-Options header to the HTTPS responses from the application origin without modifying the origin itself. A Lambda@Edge function is a Lambda function that runs in response to CloudFront events, such as viewer request, origin request, origin response, or viewer response.By configuring the function to run in response to the origin response event, the security engineer can modify the response headers that CloudFront receives from the origin before sending them to the viewer1.The function can include code to add the X-Frame-Options header with the desired value, such as DENY or SAMEORIGIN, to prevent frame-related cross-site scripting attacks2.

The other options are incorrect because they are either less efficient or less secure than option A) Option B is incorrect because configuring the Lambda@Edge function to run in response to the viewer request event is not optimal, as it adds latency to the request processing and does not modify the response headers that CloudFront receives from the origin. Option C is incorrect because adding X-Frame-Options to custom headers in the origin settings does not affect the response headers that CloudFront sends to the viewer.Custom headers are only used to send additional information to the origin when CloudFront forwards a request3. Option D is incorrect because customizing the EC2 hosted application to add the X-Frame-Options header to the responses requires changing the origin code, which may not be feasible or desirable for the security engineer.

Question 5

An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform. A unique client token is generated in the SaaS platform to grant access to the Lambda function. A security engineer needs to design a solution to encrypt the access token at rest and pass the token to the Lambda function at runtime.

Which solution will meet these requirements MOST cost-effectively?

AStore the client token as a secret in AWS Secrets Manager. Use th^AWS SDK to retneve the secret in the Lambda function.

BConfigure a token-based Lambda authorizer in API Gateway.

CStore the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.

DUse AWS Key Management Service (AWS KMS) to encrypt the client token. Pass the token to the Lambda function at runtime through an environment variable.

Answer : C

Question 6

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross- account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.

Which of the following may be causing this problem? (Choose three.)

AThe external ID used by the Auditor is missing or incorrect.

BThe Auditor is using the incorrect password.

CThe Auditor has not been granted sts:AssumeRole for the role in the destination account.

DThe Amazon EC2 role used by the Auditor must be set to the destination account role.

EThe secret key used by the Auditor is missing or incorrect.

FThe role ARN used by the Auditor is missing or incorrect.

Answer : A, C, F

The following may be causing the problem for the Auditor:

A) The external ID used by the Auditor is missing or incorrect. This is a possible cause, because the external ID is a unique identifier that is used to establish a trust relationship between the accounts. The external ID must match the one that is specified in the role's trust policy in the destination account1.

C) The Auditor has not been granted sts:AssumeRole for the role in the destination account. This is a possible cause, because sts:AssumeRole is the API action that allows the Auditor to assume the cross-account role and obtain temporary credentials. The Auditor must have an IAM policy that allows them to call sts:AssumeRole for the role ARN in the destination account2.

F) The role ARN used by the Auditor is missing or incorrect. This is a possible cause, because the role ARN is the Amazon Resource Name of the cross-account role that the Auditor wants to assume. The role ARN must be valid and exist in the destination account3.

Question 7

A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.

What configuration is necessary to allow the virtual security appliance to route the traffic?

ADisable network ACLs.

BConfigure the security appliance's elastic network interface for promiscuous mode.

CDisable the Network Source/Destination check on the security appliance's elastic network interface

DPlace the security appliance in the public subnet with the internet gateway

Answer : C

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#eni-basics Source/destination checking 'You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.'

The correct answer is C) Disable the Network Source/Destination check on the security appliance's elastic network interface.

This answer is correct because disabling the Network Source/Destination check allows the virtual security appliance to route traffic that is not addressed to or from itself. By default, this check is enabled on all EC2 instances, and it prevents them from forwarding traffic that does not match their own IP or MAC addresses. However, for a virtual security appliance that acts as a router or a firewall, this check needs to be disabled, otherwise it will drop the traffic that it is supposed to route12.

The other options are incorrect because:

A) Disabling network ACLs is not a solution, because network ACLs are optional layers of security for the subnets in a VPC. They can be used to allow or deny traffic based on IP addresses and ports, but they do not affect the routing behavior of the virtual security appliance3.

B) Configuring the security appliance's elastic network interface for promiscuous mode is not a solution, because promiscuous mode is a mode for a network interface that causes it to pass all traffic it receives to the CPU, rather than passing only the frames that it is programmed to receive. Promiscuous mode is normally used for packet sniffing or monitoring, but it does not enable the network interface to route traffic4.

D) Placing the security appliance in the public subnet with the internet gateway is not a solution, because it does not address the routing issue of the virtual security appliance. The security appliance can be placed in either a public or a private subnet, depending on the network design and security requirements, but it still needs to have the Network Source/Destination check disabled to route traffic properly5.

1: Enabling or disabling source/destination checks - Amazon Elastic Compute Cloud 2: Virtual security appliance - Wikipedia 3: Network ACLs - Amazon Virtual Private Cloud 4: Promiscuous mode - Wikipedia 5: NAT instances - Amazon Virtual Private Cloud